Zoho.com CEO says domain with 40M users suspended for abuse complaint (twitter.com/svembu)
500 points by achynet on Sept 24, 2018 | 256 comments

Zoho CEO here.

Our domain was abruptly blocked by our registrar this morning. Our NOC team and myself tried to get in touch with them and they tell us "Contact our legal". Even I could not get in touch with anyone beyond their phone operator. The domain was restored, but as DNS takes time to restore, we are still facing issues. They later claimed there were abuse complaints about Zoho.com emails (which is our personal email service with millions of free and paid users). We received a total of 3 complaints from them and two of them have been acted upon and one is under investigation.

Once we dig our way out of this, we will find ways to make sure no one takes down our domain again this way.

Just FYI, I'm one of the maintainers of a mid-size forum regarding opensource virtualization/containers and thus spam is a daily occurrence.

While the fight against it is rather dire and no end will ever be in sight, I'll nonetheless never stop (tool assisted) fighting.

Anyway, @zoho.com addresses used by spammers started to pop up circa a month ago and increased rapidly in occurrence. As we use stopforumspam to report and track spammer info (and surely are not the single forum seeing those @zoho.com domains) you may have gotten a few flags raised somewhere.

Not sure what caused this sudden (from our POV) attraction of spammers using zoho, you may want to look into some defense against this. While a full solution may not be achievable it's often enough to be faster than other providers, aka the tiger defense ;-)

It sounds like the spammers found a way to automatically create new @zoho.com email accounts, and the single way to stop them might be using a CAPTCHA service from the direct competitor, Google. At least that was the unfortunate case for the privacy focused German email provider Mailbox.org[1]:

> We recently detected activities on our servers where bot nets were used to create hundreds of thousands of e-mail accounts for the sending of spam e-mail. Although we take this as a compliment – somebody out there must be convinced our infrastructure is up for the job – we needed to find a solution to stop this abuse of our service, of course. We subsequently deployed a number of different CAPTCHA systems to help our servers identify bots during registration. However, spammers were able to circumvent all these solutions shortly after they were put in place. [...] We therefore decided to use Google’s CAPTCHA for the time being, because out of the set of solutions we tried thus far, this one seems to work best.

[1] https://userforum-en.mailbox.org/knowledge-base/article/goog...

If you’d like to use a strong captcha approach without using a competitor you might want to check out http://funcaptcha.com (I have no affiliation, have heard good things and been presented it on a couple of sites)

The "Book Demo" button and "read white paper" button seem to be broken, which does not inspire much confidence. The first button just takes me to the bottom of the page while the second button does nothing.

Not sure if this is the same, but I once came across a website with a captcha where you had to rotate a dog so it stood upright, but it was lagging so bad that it would skip several frames, making it impossible to time the angle correctly. After several minutes of trying I gave up and went to a different website with an inferior service, but which did not waste my time.

The site requires you to whitelist marketo.com which is blocked on uMatrix as it's a marketing company.

Both buttons work for me on mobile. Can't be sure, but that page looks like a JavaScript heavy "single page app" type situation, so if your JS is turned off that might explain things.

Incidentally, both links just pop up a sign-up form.

> a captcha where you had to rotate a dog so it stood upright

Ticketmaster uses one like this, with various animals.

The link redirects to some other site now.

I suppose due to the increasing risk of being broken by competing neural networks, recaptcha appears to be moving towards a model based on usage heuristics in v3. This is something that is more easily achievable by a small startup, so I hope to see competition for this type of solution if there isn't some already.

> recaptcha appears to be moving towards a model based on usage heuristics in v3

I always thought that Google has a huge competitive advantage here, because most people browse the web being logged into their Gmail accounts, and, therefore, as with Google Analytics and Google Adsense, Google knows that it's you who is viewing that page. It can then present extremely time-consuming CAPTCHAs to anonymous visitors, most of whom are likely to be bots or the spammers themselves.

...or running a logged off browser with cookies restricted to the browser session. I spend my time solving captchas which I am getting sick of. My immediate reaction now when presented a captcha is to browse away.

That is pretty terrible if the web is being split into "google knows who you are and approves of you visiting this website" vs not being tracked by google and being treated as a second class user.

Using google with a vpn (PIA) was a non-starter. I usually had to solve 3 or 4 puzzles before I could get to results. Privacy is important to me and it is just as important for them to deny me it.

Interesting--I'm trying Nord right now and while Google has been fine, Amazon blocks me regardless of what I do and I ended up having to add some static routes for Craigslist.

Well said

They are not treating you as a second class citizen, they are saying they haven't trusted you to be human yet. Which is the whole point of a captcha.

You want Google to not know about you. You want to be a stranger to them. And you are complaining that they don't trust a stranger, which you want to be, as much as someone they know?

If it's about using only Google's services, then yes I agree, but the point is if lots of random sites all decide to use Google for captchas.

This has already happened with tor and Cloudflare, but at least that changed for the better recently (see https://www.zdnet.com/article/cloudflare-ends-captcha-challe...). In that case it was just one CDN using captchas to discriminate against a group of users, so that one change by the CDN could fix the issue. If too many random sites are independently blocking or slowing down anyone not logged into Google, then that'll turn the web into Google's web.

I can relate to what the previous poster said. The worst thing is that this happens even for services I pay for. Some of them even do that for logging in.


Yeah I'm with you. I like to browse with everything logged out, and I clear all content on browser close.

I'm so bloody sick of helping Google train their self driving cars. I swear I'm going to have PTSD about stop signs and store fronts for the rest of my life.

I've started deliberately getting them wrong - probably won't make a difference, but makes me feel a little better about it (I drew the line when I started getting CAPTCHAs on services I have paid for).

>> I'm so bloody sick of helping Google train their self driving cars. I swear I'm going to have PTSD about stop signs and store fronts for the rest of my life.

> I've started deliberately getting them wrong - probably won't make a difference, but makes me feel a little better about it

I don't even have to try anymore to get them wrong on a regular basis. Now, I think it's now more like training Google users to make the same recognition errors as its self-driving cars than training the cars to do a better job.

Ditto here. And some of the worst offenders are retailers! You're trying to get someone to spend real money, and you think it's a good idea to make them screw around with 20 picture puzzles in a row before they're able to do that?!

I can only fathom these shops, both management and the webdevs, have no idea how unprofessional their site looks to anyone that isn't using a vanilla ISP connection. And my experience is coming from using a single longstanding VPS address, not even a shared VPN.

A sensible scheme would allow a certain rate of login attempts per any IP before hassling a user, but Google is obviously more interested in getting their training data than making sure you don't lose customers!

Thank you Cloudflare for contributing to that nonsense.

While I too leave sites that are too annoying to use, as a dev, what are other less annoying ways to slow down bots on one's site?

I am working on exactly this at hcaptcha.com

Not sure why, but when I try to load your site in Safari or Chrome on iOS, the page displays for a second and then the tab crashes.

This is really neat!

hCaptcha is definitely a way to go - strong product, not working with competition, etc.

As a network engineer for an ISP, I can tell you that StopForumSpam reports generally don't make it on our radar. Cisco Talos IP reputation, SpamHaus, SpamCop and various other DNSBLs do make it on our radar and are proactively monitored by most responsible ISPs.

That being said, the proper way to report abuse to an ISP is to email the official point of contact for abuse associated with their IP netblock. In the case of Zoho, that contact info can be found here: https://bgp.he.net/AS2639#_whois

ARIN rules require that all IP netblock owners provide a valid point of contact for abuse issues. ARIN validates the points of contact annually. I believe that RIPE, APNIC and LACNIC have similar rules.

If an ISP doesn't act on the abuse after it has been reported to their abuse point of contact, then you have a legitimate complaint against them.

Hi, sorry for the issue caused to you. Can you provide a few email addresses to abuse at zoho.com, so we can take appropriate action after investigation? Regards, Rajasekar, Zoho Abuse Monitoring Desk.

Second that as we’ve started to see fraud related registration activity from zoho.com around the end of August.

Dear Siv,

Thank you for your notification; we will check on this and block those who spam using our system. However, please send an email to abuse at zoho.com so it would help us provide clues for our investigations. Regards, Rajasekar, Zoho Abuse Monitoring Desk.

Did you see this comment? Just passing it along in case it is helpful.


If you have 40M users I suspect the annual cost from the registrar is very small part of the budget. Get a registrar where you don't have to deal with a phone operator.

I work in this industry and it's a very clear separation between bulk registrars and those that maintain fewer but high value domain names. The latter usually give you a personal contact person to call and work proactively to deal with threats to companies' domain names and trade marks. I don't think I have ever heard of a domain being abruptly suspended by such a registrar.

The cost is usually 5x-10x that of the cheapest registrars so there is naturally a balance to be struck, and as I work in this industry I might be a bit biased. However the damage when waiting on the TTL when registries update NS records sounds very substantial when they first suspend and later restore a domain name in what sounds like very reckless behavior.

Yes, that is good advice. We are reviewing all our processes about domain registries right now. Major lesson learned, and I would encourage other companies to think this through and learn from our experience today.

I learned this the hard way just a few months ago with Namecheap. Those guys dumped all of my personal information to some people (my name, address, phone number, etc.). I have kids in my home and all they offered me was $100 in Namecheap credit, which I didn't accept out of principle. I spoke with a lawyer and the privacy laws in the U.S. seem to make it not even worth going after them. Registrars basically can do what they want and it's hard to hold them accountable.

What people? Why are you scared of them? Should I be worried, as I have domains at namecheap.

Check out https://news.ycombinator.com/item?id=14139288

Never use namecheap for anything important.

I almost had a domain frozen with namecheap after one warning. If I missed the warning email or checked my email after 24 hours they would have completely suspended my domain. I'm talking about a site with MILLIONS of visitors per month and tens of thousands of posts per day, not some small blog.

I’m in the same position and would love to hear more as well

Here's a quick timeline.

I did some work for a client in 2017 who was starting a cryptocurrency business. This involved buying a domain name for him to transfer to him later.

Well in 2018 there was some internal strife in his business that ended with a lawsuit being started. The opposing party started sending subpoenas to Namecheap asking for all information from 2018 onwards in relation to his account. What ended up happening was they released all of my information about my purchases, domains, personal information(anonymized credit card info, my actual physical address, information about my other unrelated clients domains, etc.)... going back to the start of my account.. several years worth of data prior to 2018. All clearly out of scope of the subpoena they were served.

Not only that, Namecheap never notified me of this.. in violation of their own privacy policy. They're supposed to notify their customers of the release of their information in relation to subpoenas by email or certified mail. Instead I found out much later from my previous client when he was given a copy of all of my information. And presumably his opposing parties in the crypto space were also given all of my information.

Seems kind of messed up to release all of that erroneously, without warning... especially to shady people in the crypto space.. you know, with people getting kidnapped over this stuff.

TL;DR Namecheap will drop your info, even if you paid to protect it as soon as they're given a single demand letter. And they won't stop at just giving up the info that's asked for (with 0 fight and 0 notification to you) there's a chance they'll release ALL of your account information.

Thank you for sharing that awful story. Sorry you had to go through it. Quite disappointing to a customer of Namecheap as well.

See my comment above.

I repeat don't use namecheap for any meaningful business, especially anything that is "enterprise"

Cloudflare Secure Registrar - I know you guys probably in some ways compete with Cloudflare, but maybe give them a call. Or for that matter become your own registrar and get into the corporate registrar business. With this experience under your belt, no doubt you'll crush it!

FWIW, CF's registrar is nice, but also represents an extreme form of lock-in on the part of Cloudflare -- the registrar subscription is specifically tied to your enterprise plan and will be terminated if you are not using other CF products.

That is not the case anymore. We would still allow you to continue to purchase just registrar.

Oh, fantastic! I'll let my former colleagues know, assuming no one else has reached out to them (this was a pretty specific piece of feedback we had re registrar, so great to hear that it's changed).

Do you have enough capital to become a registrar?

It's not just capital, becoming accredited is a major paperwork and logistical hassle, and you have to do it with every TLD you want to support.

Pretty sure they only need to worry about dot com.

Which registrar do you recommend?

MarkMonitor is what Facebook, Google, Apple, Microsoft and other huge companies use. They don't take small accounts, though.

> Google

Google is a registrar themselves... Do you mean they use someone else for their own domains?

Google uses markmonitor:

    Domain Name: GOOGLE.COM
    Registry Domain ID: 2138514_DOMAIN_COM-VRSN
    Registrar WHOIS Server: whois.markmonitor.com
    Registrar URL: http://www.markmonitor.com
    Updated Date: 2018-02-21T18:36:40Z
    Creation Date: 1997-09-15T04:00:00Z
    Registry Expiry Date: 2020-09-14T04:00:00Z
    Registrar: MarkMonitor Inc.
    Registrar IANA ID: 292
    Registrar Abuse Contact Email:

It probably looks like what Zoho should use..

Correct, MarkMonitor is a _huge_ business. Alphabet has had an account there for much longer than they have been a Registrar under Google name.

How exactly was that story of a man owning Google.com through Google domains for a few minutes possible, then?

He didn't own the name, he found a way to change the DNS records; while being registered at MM, google.com is still pointed to Google's own DNS servers.

A freak accident and lack of checks.

They're a reseller like everyone else. If I'm not mistaken they actually use eNom for customers buying domains on any of their platforms (though not for their own domains).

They're a reseller for some TLD's, and a registrar for others.

Wasn't aware they'd finally taken the plunge. Thanks for the correction.

Doesn't seem to be true, for my domain registered at Google:

    Registrar: Google Inc.
    Registrar IANA ID: 895
    Registrar Abuse Contact Email: registrar-abuse@google.com
    Registrar Abuse Contact Phone: +1.8772376466

Verify yourself at: https://www.iana.org/assignments/registrar-ids/registrar-ids...

Zoho is Zoho Corporation Private Limited IANA ID: 3803

I get emails for a friend's domain that was originally registered through Google Apps (G Suite) many years ago, and I see emails with "enom" in them going back all those years.

That’s before Google domains hit off

Cloudflare Secure Registrar. Few people know that Cloudflare operates a registrar, but they do. The pricing is $enterprise, as it should be:

"Cloudflare Registrar is the highest level of registrar security. It protects your organization from domain hijacking with high-touch, on and off-line verification of any changes to your Registrar account. Cloudflare is an ICANN accredited registrar providing secure domain registration for high-profile domains."

Gandi.net, located in France with strong privacy. And a good API (the new version)

which registrars are these?

I don't like to give recommendations since it either means promoting the company I work at, which just feels like mixing professional and private, or promoting competitors, which just feels worse. Instead I prefer giving general advice on what to look for when picking a registrar.

Having a personal contact at the registrar, for example, might sound unnecessary, but it means that a person at the registrar should know the company involved and the impact of the domain or domains before any serious action like suspension is taken. At large, bulk-like registrars this isn't the case, and as such no one likely knew what Zoho.com was or how many users it would affect. It was likely just another $10 annual fee among millions of other domains, and as such it is very easy to just suspend and forget and later try to fix any issues if those are raised. A cheap and quick solution, but very costly if the owner values the domain name above $10.

Hey mate,

I've always been a bit perplexed as to how registrar's are created. How could I become a registrar?

Any advice or resources to explore this very open question would be wonderful.

Cheers J

Basically, you have to go through the ICANN accreditation process, which is documented here:


The cheaper, and easier way, if you're looking to start selling domains with a lower barrier to entry (but less control over how much you pay/how you sell your domains) is to find a white-label reseller registrar.

> I've always been a bit perplexed as to how registrar's are created. How could I become a registrar?

In all that time of being perplexed, you never thought to do a simple Google search? https://www.google.com/search?q=how+registrar%27s+are+create...

Thanks for your response Micheal. That's an interesting website. I'll take a look!

Are you a bot?

The first aspect is that every* TLD has its own registry and system. For the generic ones you've got the ICANN accreditation process, but there are also a bunch of registrar resellers that act as middlemen between ICANN and other registrars.

Usually most processes involve some form of capital investment and/or technical capability. Country specific TLD can either be easier or much much harder depending on which country.

* Not really everyone.

The hell are you complaining about unreachable contacts when your own abuse@ address is dead -

    Arrival-Date: Thu, 30 Aug 2018 00:00:00 +0200 (CEST)

    Final-Recipient: rfc822; abuse@zohocorp.com
    Original-Recipient: rfc822;abuse@zohocorp.com
    Action: failed
    Status: 4.7.1
    Remote-MTA: dns; mx2.zohocorp.com
    Diagnostic-Code: smtp; 451 4.7.1 Greylisted, try again after some time

This is from our MTA after 5 (FIVE) days of trying to deliver you a spam report, with all delivery attempts originating from the same IP.

And that's without getting into why you have a filter on your abuse@ address to begin with.
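The bounce quoted in the comment above can be triaged mechanically. This is an added example, not part of the original thread: it parses the quoted delivery-status fields (RFC 3464 layout) and flags a temporary 4.x.x status that ended in `Action: failed` on a role mailbox. The function names and the bounce timestamp are assumptions; the page only says delivery was attempted for five days.

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Delivery-status fields as quoted in the comment. RFC 3464 layout:
# one per-message block, a blank line, then one block per recipient.
DSN_TEXT = """\
Arrival-Date: Thu, 30 Aug 2018 00:00:00 +0200 (CEST)

Final-Recipient: rfc822; abuse@zohocorp.com
Original-Recipient: rfc822;abuse@zohocorp.com
Action: failed
Status: 4.7.1
Remote-MTA: dns; mx2.zohocorp.com
Diagnostic-Code: smtp; 451 4.7.1 Greylisted, try again after some time
"""

# Constructed value: the thread only says the bounce came after five days.
BOUNCED_AT = datetime(2018, 9, 4, 0, 0, tzinfo=timezone(timedelta(hours=2)))

# Role mailboxes (RFC 2142) that should accept mail without anti-spam deferrals.
ROLE_MAILBOXES = {"abuse", "postmaster", "security", "noc"}


def parse_dsn(text):
    """Split delivery-status text into (per_message, [per_recipient, ...]) dicts."""
    blocks = [b for b in re.split(r"\n[ \t]*\n", text.strip()) if b.strip()]
    groups = [
        {name.lower(): value.strip()
         for name, value in message_from_string(b + "\n").items()}
        for b in blocks
    ]
    return groups[0], groups[1:]


def typed_value(field):
    """'rfc822; user@example' -> 'user@example' (drops the type prefix)."""
    return field.split(";", 1)[-1].strip()


def triage(text, bounced_at):
    """Return one finding dict per recipient block in the delivery status."""
    per_message, recipients = parse_dsn(text)
    arrival = parsedate_to_datetime(per_message["arrival-date"])
    findings = []
    for rcpt in recipients:
        address = typed_value(rcpt["final-recipient"])
        local_part = address.split("@", 1)[0].lower()
        status_class = rcpt["status"].split(".", 1)[0]
        diagnostic = typed_value(rcpt.get("diagnostic-code", ""))
        findings.append({
            "recipient": address,
            "remote_mta": typed_value(rcpt.get("remote-mta", "")),
            "days_queued": (bounced_at - arrival).days,
            # 4.x.x is a temporary status; together with Action: failed it means
            # the sender's queue lifetime ran out while the deferral never cleared.
            "transient_never_cleared":
                rcpt["action"].lower() == "failed" and status_class == "4",
            "greylisted": "greylist" in diagnostic.lower(),
            "role_mailbox": local_part in ROLE_MAILBOXES,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(DSN_TEXT, BOUNCED_AT):
        print(finding)
```

A finding with `transient_never_cleared`, `greylisted` and `role_mailbox` all true is the pattern described here: an abuse mailbox sitting behind a greylist that never admitted the retrying sender.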

If I had to guess they're probably rejecting the message further because it likely contains the spam itself.

This is a key error in their handling of their abuse@ address, it needs to be expected to receive spam.

But if the diagnostic code were correct and it were just a grey listing, that would be okay, wouldn't it? Just clashes with the mentioned five days.

Dear User,

Thank you for bringing this up. It was due to our greylist setting for *@zohocorp.com domain, we have now excluded the greylist for abuse addresses. Please resend your complaint to our abuse address. Regards, Zoho Account and Abuse Monitoring Desk.

Further you can report to us using https://www.zoho.com/report-abuse/

Zoho has 40M users and apparently $350M in revenue. Why are you using a consumer grade domain registrar[0]?

The gold standard for any enterprise is MarkMonitor. You can pick any other enterprise level service which would mean you don't resort to lowering yourself to begging on Twitter to find a contact at a pivotal service provider.

This has damaged you beyond DNS propagation, I don't know how anybody in tech is going to take you seriously again without some serious action.

[0] https://www.tierra.net/

Cut them some slack.

Based on everything I've experienced and heard about Zoho I'd say this incident is a symptom of issues rather than a cause.

Yep, this incident shows deeper problems. As an outsider, I now question their security team, their devops, their entire company and internal policies.

This is a huge oversight.

I was thinking the same. I hadn't even heard of Tierra until this post. Seems insane that Zoho would cheap out on a registrar.

I'd go with DYN.COM for all my domain and DNS needs for a million/billion(?) Dollar business such as this. No referral here, just advice.

This should be higher up in the comments. DNS is a seldom thought of security / point of failure. Dyn's whole business model is basically: we won't turn you off until we talk to you.

Except Oracle recently purchased DYN. It will be interesting to see if they maintain their previously good reputation.

Recently attended a meeting led by a DYN executive, he seemed very passionate about what they do.

Mirai was an extremely rare event. I understand businesses were impacted, but it's unfair to hold a three-year grudge against any Mirai victims who are otherwise responsible infrastructure operators.

This happened to us (Weebly) years ago when we had godaddy as our registrar. I highly suggest you transfer your domain to someone competent like Safenames or MarkMonitor.

Sridhar, after this nightmare is over, move all your domains to MarkMonitor

Transfer your domain to a major registrar. Tierra.net looks like some bs cheap registrar and doesn't have any social media updates on their accounts since 2017. I'd recommend Namecheap.

Even a solid company like Namecheap wouldn't actually be appropriate for a large, enterprise corporation such as Zoho.

What would you recommend?

When I worked as an SRE at Stack Overflow we used name.com for all our domains (and R53/GCP/Azure for DNS). Never had any issues, and worth adding to any short list you come up with.

If you do whois lookups against the top 50 websites you'll see a lot of them use a small set of registrars. But not all of them accept small businesses.

I use name.com for all my personal domains because it's cheap and supports a lot of unusual TLDs. But I would never trust a $100M company to it. Who cares about saving ~ $100/year.

Probably something similar to CSC Global.

Why not?

Probably because you want enterprise grade support, a real person that you can call and will help you solve your problems without having to deal with low level support before.

Namecheap is just as bad, check out https://news.ycombinator.com/item?id=14139288

I almost had a domain frozen with namecheap after one warning. If I missed the warning email or checked my email after 24 hours they would have completely suspended my domain. I'm talking about a site with MILLIONS of visitors per month and tens of thousands of posts per day, not some small blog.

social media updates is not the best marker of current business activity.

Perhaps. But surely they've run into some sort of technical issue from time to time. Isn't posting such to Twitter a reasonable expectation? I mean, if they don't want to proactively communicate with customers, maybe they have a culture where they don't want to hear from customers at all? Hello Google ;)

I get the feeling a lot of folks ended up there from Domain Discover which had good ratings back in the day. They actually aren't that cheap.

I don't recommend Namecheap. A few months ago they dumped all of my private information erroneously, including physical address, for a whois guarded domain. They admitted to it too and all they offered me was $100 in Namecheap credit.

Spoke with lawyers and from what I was told in consultations there's basically nothing I can do about it.

TL;DR Namecheap will endanger your family and they give 0 fucks.

Handshake.org is trying to solve this problem for good by decentralizing DNS at the root TLD level. I'd look into this if you want to make sure no one takes down your domain ever again.

Disclosure: we're building a registrar on top of Handshake. We can also help you claim "zoho" on Handshake for free if you're interested.

I'm sure that Zoho has many talented engineers, but to manage abuse on the scale of 40M users you might benefit from engaging with one of the firms that specializes in this area.

We(Gridmarkets) use multiple Zoho services and are a very satisfied customer. Would like to say we understand and stand by you as you sort this issue out.

> Once we dig our way out of this, we will find ways to make sure no one takes down our domain again this way.

Would look forward to an official email with regard to what steps were taken to mitigate this going forward.

Zoho user since 2006.

Thank you for responding to this quickly. I saw this just a little while ago; I use Zoho Writer and Show for presentations and team-based doc editing and I have for the last decade. If Zoho goes down, I'd be very much lost. Thanks for providing a great service for this many years and I hope it keeps going for many more.

I think it's pretty good that you came to ycombinator yourself!

I wish you the best of luck once you catch up with the CEO of Tierranet (or perhaps you already have!)

Ted from Namecheap here. I shot you an email. We'd be happy to help you out and ensure that your domain is locked down.

Hi Ted.

This event seems to have been triggered from abuse complaints - and involved the registrar not reaching out to the client in question.

Curiously enough, I had a very similar incident with Namecheap last week: an unsubstantiated email (without subpoena, judge's order, or even validation of who actually sent the email) - was sent to namecheap abuse /alleging/ (correct, no proof) trademark infringement.

Namecheap rolled over and provided all information to the third party - and didn't bother to inform me of the incident. The only way I found out was a menacing legal letter using the address that I have on file at namecheap.

If Namecheap doesn't respect due process (ie, requiring legal documents to turn over customer information) or customer privacy (Hi, we have just had to turn over information) - on a 10+ year customer, I'm not sure that you're in a better position than Tierra.

Severely disappointed with you guys.

I obviously can't comment on this without any further information but I have to say that this sounds quite unusual. We have very strict policies regarding due process: https://www.namecheap.com/legal/general/court-order-and-subp...

Can you shoot me an email? ted [at] namecheap.com

Doesn't seem very strict at all:

"Upon the receipt of a valid criminal subpoena, unless the circumstances or subpoena warrant otherwise, Namecheap may promptly notify the customer whose information is sought via email or U.S. mail"

Two things seem unclear:

1) The phrase "unless the circumstances or subpoena warrant otherwise"

2) The use of "may" in "may promptly notify the customer". Why is that not "shall" or "must"?

I believe that's for criminal subpoenas. For civil subpoenas they actually change #2 to "will." However in my experience they never notified me.

"Upon the receipt of a valid civil subpoena, Namecheap will promptly notify the customer whose information is sought via email or U.S. mail. If the circumstances do not amount to an emergency, Namecheap will not immediately produce the customer information sought by the subpoena and will provide the customer an opportunity to move to quash the subpoena in court. Namecheap reserves the right to charge an administration fee to the customer by charging the customer’s Namecheap account."

Here is the second victim with a similar story: https://news.ycombinator.com/item?id=18063667

Is the problem systematic?

Email sent. I'd love to be mistaken on this. As re-iterated in the email, the email + address used in subsequent C&Ds were to a personal address only used in NC.

Don't take Ted up on his offer. Namecheap released all of my personal information erroneously and all they offered me was $100 in Namecheap credit.

This company literally has 0 morals and doesn't care about making sure people are treated right. Also, good luck getting through their regular support. It's straight from a script with 0 deviations.

Namecheap is just as bad.

I run a forum site with MILLIONS of visitors and about 5,000 TB of traffic per month. Namecheap.com suddenly sent me a link warning that they will suspend my domain completely within 24 hours, if I did not delete two problem images (which were inappropriate/troublesome images but in the context of the forum posts, "a very poor attempt at humor"). I deleted the images and avoided being suspended, but the way they threatened to suspend my domain due to two images was ridiculous. If I missed the warning email or checked my email after 24 hours they would have completely suspended my domain. I'm talking about a site with MILLIONS of visitors per month and tens of thousands of posts per day, not some small blog.

They may be suitable for some blog, but I can now say to NEVER use them for any enterprise site.


btw, I just noticed that Zoho.com domain TLS certificate expires next year. Hope you have automatic checks for the timely renewal.. I have been a fan of Zoho and hope you make a comeback.

I highly recommend AWS Route53 domains paired with their DNS service. Pay for the AWS support plan so you can call. I suspect Zoho is a multi-million dollar company at this point, should not be using a discount registrar.

This was registrar level, not nameserver level.

AWS Route 53 provides full registrar services for a while now.

They use Gandi iirc, they are not a registrar themselves.

Sure they are, if you register a .com the registrar is "Amazon Registrar, Inc." since 2016 or so (https://www.icann.org/registrar-reports/accredited-list.html). For some other TLDs, they might outsource it.

$400M PA reportedly...

Is zoho.eu also affected by this?

change registrars ASAP!

Also, this is why I think DNS should be decentralized.

If you’re providing email service, you should be actively monitoring public blacklists, not waiting for your registrar or hosting company to notify you. Even if your domain isn’t banned, your users’ emails may be bounced by other servers. That you don’t seem to know any of this means you aren’t employing the right people.

I'm pretty sure you're over inferring stuff from that post. It's not credible that 20+ years old company serving email for millions of users wouldn't know the most basic stuff about running an email server, don't you think?

And yet here we are.

You should consider using Google Domains. There’s literally no company that’s more professional in this regard.

As a small start up when we ran into a similar problem while using google domains, they gave us a very hard time with bad support... something we could not afford then. I don't have a good alternative but wanted to mention this experience with google domains. Hope that helps.

Yes, all of these possibilities are under investigation. We have just recently secured ICANN approval to be a domain registrar. With our scale, this has become important now.

It's kinda crazy that you have to become a domain registrar to circumvent problems like these in the future....

It is more likely Zoho is getting into/already in the business of selling domains and hosting as part of their portfolio and that's why they are becoming a registrar.

Google is their direct competitor.

This isn't really a problem for companies the size of Google - while they may well refuse service to competitors or prohibit usage via terms of service, if they do allow a competitor on board there's no way they treat them any differently - there will be huge legal ramifications if they do.

I'm sure many of their employees can also use Android phones.

Google is far too omnipresent to just ignore.

Google is a company with a horrendous customer support history.

For most of history Google offers essentially no support. Recently Google has started making phone support available for Google Ads (AdWords) putting a contact number on their customer facing website.

Maybe domains registered more recently work differently, but my Google domains use a random user account generated by Google for eNom (the provider they were contracting with at the time). That makes each domain its own virtual customer (I couldn't just login to eNom or Google and see a list of all my domains). I need to log into Google Domains as a separate account for each domain, and then that takes me to GSuite which links to eNom.

Also, last I checked, unlocking a domain for transfer to another registrar required emailing Google/eNom. There's no interface for it. For a while the entire UI to choose to cancel a domain just disappeared as well.

I would not recommend Google Domains.

Could you elaborate on your view that Google Domains is the most professional company for this kind of issue?

Google doesn't even use google domains.

Well when Google bans you, you will simply find no recourse. Google is pretty shitty company when support is needed.

The importance of using a reliable registrar can't be overstated. tierra.net looks like a small company, without 24hr support, and with an abandoned social media presence. Why would a company with 40M users use a tiny registrar to save 2 bucks on a domain name?

They probably registered the name very early in their corporate life. At some point, they had a real business, and a business critical domain name, but they didn't realize they needed to do something different. My CEO registered our business names at network solutions, sigh.

Anyway, as a wakeup call -- if you have a business critical domain name, you need to find (and use) a registrar that has a registry lock procedure for the TLD you're in. A registry lock means the registry won't process changes from your registrar unless you authorize them, which makes it a lot harder to change things on purpose, or by an attacker. I imagine abuse takedowns could still go through though -- but there will at least be more people who know you care about your domain.

I can understand if they're a cement company with a website. Zoho is in the business of email with @zoho.com emails. This is a huge oversight which makes me question their whole company and how things might be internally.

This was not the company used. The domain registrar market has gone through consolidation and it ended up here. We have been moving domains and this is a cautionary tale for us.

I've been very happy with MarkMonitor. They have good customer service, a good reputation, and best of all, they auto-renew domains and send an invoice. That means that the failure mode is "domain is renewed, I owe them a check."

If your domains are riding on a credit card, you potentially have a failure mode of "card was declined, my domain did not renew, everything is down."

How much does markmonitor cost? There is no pricing anywhere.

My invoices say $20/yr per .com; other TLDs are more expensive. Because we have a ton of domains we spend over $20k a year with them. I'm sure there is a minimum but I don't know what it is these days.

I would not say MarkMonitor is a tool for startups. It's a tool for organizations that would lose a lot if they lost a domain. I bet Zoho wishes they could go back in time and spend $10k to avoid this problem they had.

Back in 2014 they wanted a $10k/yr minimum.

I’m guessing that’s an indication that it’s prohibitively expensive for small organisations?

and then someone steals the domain out from under you and you'll need to pay in bitcoins to get it back.

You would be surprised how prevalent these problems are even with supposedly reputable registrars.

A commonly recommended option here in HN was NameCheap. Earlier this year without any notice they modified our DNS servers completely taking down our SaaS product.

Why? Some migration script run incorrectly.

They offered me a random TLD for free for one year as compensation! I declined.

You seem to imply that reliable ≠ small, and that small registrars are cheaper.

In my experience, the opposite is true in both cases. Big registrars can’t afford any support costs since they prefer to squeeze the price down as far as possible, and therefore they prefer to simply lose or outright drop any customer in case of any and all problems. Conversely, small registrars may charge more, but have better (i.e. actually existing, and sometimes even dedicated and personal) support for when things go wrong, and have a vested interest in keeping you as a customer.

Well, of course. Look what business Zoho is in.[1]

"Email marketing software that drives sales. Create, send, and track email campaigns that help you build a strong customer base."

They don't have 40 million users. They have 40 million targets.

Of course they don't get many complaints. If you search for "zoho opt out", you get sent to a page with a HTTP 400 error.[2]

[1] https://www.zoho.com/campaigns [2] https://help.zoho.com/portal/kb/articles/what-does-email-opt...

[2] Works fine for me.

Also, Zoho is among the most trustworthy companies list of mine. They don't do funny business with AI and targeted Ads with your data.

You try, you pay and you use the software. Traditional, no-nonsense business model. I respect both Apple & Zoho for doing this. Just because Apple has a platform to run ads (The App Store), it doesn't mean Apple is in the advertising business.


The "email opt out" [2] link is fixed now.

No, it's not. Nothing in "help.zoho.com" seems to work.

400 Bad Request in Firefox.


    curl https://help.zoho.com
    <head><title>400 Bad Request</title></head>
    <body bgcolor="white">
    <center><h1>400 Bad Request</h1></center>

This is a hard lesson for people that no matter how resilient your authoritative DNS infrastructure is, for your own nameservers (plus route53 or similar), your domain registrar is absolutely a single point of failure.

If you have something with 40M customers I'd highly recommend going with the same domain registrars used by some of the Fortune 100 companies.

Seizing a domain at the registrar level, by court order, is also how the US government implements "seizure" of domains, if you've ever seen a torrent index site that has suddenly been replaced with a big scary FBI page (examples: https://www.google.com/search?q=this+domain+has+been+seized+... )

I believe DNS/domain name is really a problem that could be better served using a blockchain technology. The registers can't be trusted

Namecoin is a good example of this - decentralised domain registrations using the .bit TLD.

Namecoin is cool but I think there are still big issues to be fixed, like renewals/pricing to avoid one person getting all the good domain/sane names.

Yeah you're right - Namecoin has a massive squatting problem. It costs only pennies to register a name which doesn't help.

One possible solution is a proof of work for name registrations, similar to the Onion Name System [1]. There is a short talk by Jesse Victors that explains it nicely [2].

[1] https://github.com/Jesse-V/OnioNS-HS

[2] https://youtu.be/zZzOVKPcIMg

Aha! I was wondering when someone would say this!

I really hope https://handshake.org will catch on. It has the potential to solve a few very hard problems (PKI and online identity) without fundamental changes to the way the Internet works.

This is why you register your domain with MarkMonitor or Cloudflare. I cannot comprehend why they were so stupid to use a registrar that is not corporate oriented. This is just unreal.

The domain was registered in 2004; MarkMonitor was around then, but Cloudflare wasn't. I was involved in moving a domain to MarkMonitor in 2013; at that time, they had a rather steep minimum spend to get on their platform, and they barely wanted to talk to us.

You can transfer a domain name to a different registrar.

That's a lot of strong words in a short comment for an honest mistake. I don't think this is called for with pretty much any unintentional error where we don't know the exact background.

When you have 40M users, this is an inexcusable oversight. It points at Zoho having an incompetent CIO role. An experienced and appropriately paid CIO would most definitely have had this near the top of his or her list years ago.

Do you happen to know how much Cloudflare charges for this?

What is the startup friendly markmonitor alternative here? I don't see pricing information at a lot of these services... so I'm guessing they are $$$$$$.

Anything which startups can use and is $$ ?

Couple of things about Zoho that I don't understand.

- Why use the same domain for the free service, which is usually more prone to abuse?

- Zohocorp.com is hosted on GoDaddy. Why not move all your domains to a single company so that they value your business more and give you a better level of customer service?

I hope once this is all over, Zoho just shares their feedback and some advices that will help small businesses.

I’ll add another. Why do they use the same domain for both MX records? Why not use mx.zoho.com, mx.zoho.net so that if one domain gets busted at the registry level the backup MX still works?

Perhaps a reliable CCTLD for the alternative, so it's not under the US government.

I noticed Amazon use a UK domain for one of the four Route 53 nameservers they specify.

It's not like Zoho is known for their high availability anyways, their domain not being reachable is just par for the course.

Also since it said "suspended for abuse complaint", I would almost immediately assume Zoho just didn't properly handle abuse claims and it's their fault.

Needless to say I have an incredibly low opinion about their "service" based on having used their mail product for almost a year (switched to google afterward).

So as a domain owner you are completely at the mercy of your registrar?

What is considered a reliable registrar in Europe?

> What is considered a reliable registrar in Europe?

I heard a lot of good things about German INWX[1], even though French Gandi[2] is more popular and is the registrar of ycombinator.com (and was the registrar of reddit.com until recently, before they moved to MarkMonitor).

[1] https://www.inwx.de/en

[2] https://www.gandi.net/en

I can highly recommend INWX. What I like about them is that the service they provide is domains only (I don't consider their web hosting offers [1] seriously). Thus no conflict of interest and resources are focused on a good domain service.

[1] https://www.inwx.de/en/hosting

For private or business use?

Privately I’m pretty happy with Namecheap, they never failed to provide the support I needed in a friendly and precise manner. For business purposes with high value domains MarkMonitor seems to be the industry leader.

I love namecheap - customer for over 10 years - but a recent incident has me rethinking my patronage. We recently received a "lawyer DDOS" - where a law firm sent multiple letters claiming /alleged/ trademark infringement. Without proof of identity, proof of subpoena, judge's order - whatever - namecheap rolled over on their WHOIS protection. There was no dialog, no email from legal, nothing.

I was dismayed to see that someone can literally send one email, get your personal info, and impact your company.

Very disappointed in namecheap.

I am also on namecheap and this freaks me out. can you provide more info?

Read my comments too. Namecheap definitely is just as bad.

Read some of my comments, they did the same to me.

Both seem to be US companies. What leverage do you have over them if they screw you? I would say none. Suing a company overseas is pretty much impossible.

Ah I see, beg your pardon, I misunderstood your question. If you’re looking for domain registrars located in Europe I can only suggest one as I don’t have much experience dealing with others. Epag [1] has always been nice to deal with.

[1] - https://www.epag.de/en/

Incredible. Their registrar (TierraNet) has some explaining to do.

I hope they move to a proper domain register after this...

The lack of decent options of domain registers for technical people that don't need their hand held and have decent security, while not being $$$$ enterprise options is depressing...

I use Uniregistry which has TOTP support and what seems to be a competent team, and a friend swears by AWS's Route53 domain registration, but more choices with actual good policies and aren't just a reseller would be welcome.

I've had similar issues when operating my business. The bottom line is your company is only as strong as your vendors. If you pick weak vendors then your business is harmed as a result. If you find that you have a weak vendor then you must dump that vendor immediately and replace them with someone who is a strong vendor. Period.

A whole lot of people are learning about the hazards of centralization in email lately. First Google turns GMail into a slow-loading nightmare for weaker computers like mine, then they announced the closure of Inbox. Now 40 million people are without email because Zoho couldn't keep up with registrar consolidations (https://news.ycombinator.com/item?id=18060013).

Zoho is fine as a service, but a domain suspension shouldn't cut tens of millions of people off from email.

I agree this is unacceptable. We are figuring out ways to make this more resilient - we host third-party domain mails, and we could map those domains directly without involving our domain. That could be one solution. We have learned a serious lesson here.

Steal GitLab's business model and let people/companies self-host their own Zoho.

Nothing about self-hosted licensed software is unique to Gitlab, it's been a standard business model since the software industry started decades ago.

I know. I used GitLab as an example because git is as ubiquitous in development as email and just as prone to centralization. Plus, the recent funding news made it the most obvious example since people are concerned.

I wouldn't say Zoho is one of the ones enjoying "centralized" status. If you said so of Google or Microsoft, or in the past perhaps Yahoo, then in the western world that's true; but I can only vaguely recall ever hearing of Zoho, let alone see an email address of theirs used by anyone.

While email is getting harder to run yourself due to all the bad actors, with dozens of reasonable choices (plus the option to self-host like I do) you can hardly call it centralized.

> A whole lot of people are learning about the hazards of centralization in email lately.

What is the alternative?

I don't know, I'm not an email geek. Lots of smart people run their own email systems and report good delivery rates going by past threads here. Maybe they can work together on something more accessible.

https://mailinabox.email/ has worked well for me in the past

In case this is a serious question: federation, with servers kept running by stakeholders of whatever the email's needed for.

This is pretty bad service from Tierra registrar. I am taking this as a cautionary tale for everyone. Domain registrars have way too much power. A backup domain, in case things go south, should be a must.

I really don't understand why any enterprise service would use these kinds of bargain bin registrars. Is using a reputable registrar with professional, enterprise-grade service not worth it given the scale of someone like Zoho? Optimizing to save a tiny amount on your registrar while you have millions pouring in from customers seems like a really poor decision.

I really believe in running a lean business, but running lean means cutting the fat, not cutting out your muscles and tendons and running with a naked skeleton that is fragile.

Reading through the thread, people have similar problems with namecheap, name.com.

So if you can't afford something enterprise like MarkMonitor, and you don't want something super cheap at $9.99 per year, what sort of good quality middle ground choices do we have?

40M users doesn't really give a good idea of how significant 3 complaints are. Still it sounds like some additional screening and protection against phishing needs to be implemented on Zoho's side.

ZOHO went down and hundreds of thousands of businesses went down... feel like this should be a bigger warning of how dependent we are on a handful of companies?

I feel that once you’ve passed a certain size you should move the domain to a more professional service, no matter the cost. MarkMonitor etc.

Wow, Zoho is down a second time today now with a 400 Bad Request...

Direct IP?

Got a major sales push today, looking for a bandaid.

Is there a blockchain for DNS?

I believe OpenNIC was something like that.

Like namecoin? or https://handshake.org

Running their DNS on a 2-bit registrar is exactly the kind of thing I have come to expect from Zoho. I am forced to use this company for a handful of services at my company. If I started to tell you the idiocy I've had to put up with from these guys, I'd never stop ranting. I'll save it for DevRant.

The domain was registered over 22 years ago, and it kept moving through registrars who were acquired. We do have a solid record of reliable services, and have kept growing in spite of never taking a dime in outside capital.

To me this is even worse than choosing a bad registrar once by mistake. You keep choosing companies who can't stay in business and let your domain float around like it didn't matter. The second or third buy-out of your name registration should have been an alert to switch to a top tier company for stability. On the internet, your domain name is literally the crux of your services.

Thank you for sharing your story. It should serve as a warning to others who may need to audit their infrastructure.

Honest question: What exactly does it mean for a registrar to block a domain? I believed so far that for my browser to successfully connect to a web server running on a domain or for a mail server to deliver email to a domain, there should only be valid A, AAAA, MX, and/or CNAME records in the DNS.

Was it really a block at the registrar level or was it a block at the DNS level, i.e., the registrar also ran DNS service and their DNS service refused to return responses for zoho.com domains?

At what layer or at which stage of the protocol can a registrar disrupt this and take a domain offline?

There are several layers where a registrar has control over DNS resolution.


ICANN: The organization responsible for coordinating the maintenance of the domain name system (among other things).

Registrar: A company authorized to update the ICANN database on behalf of registrants. Google, GoDaddy, Enom, etc. are registrars.

Registrants: An entity that wants to register a domain name. In this case, Zoho is a registrant, but it could also be an individual. This is your role if you 'own' a domain.

Authoritative Name Server: A domain name server that is considered authoritative for a specific domain.

Stuff registrars can do (among other things):

1.) They can update the ICANN database to disable a domain completely[1]

2.) They can replace your authoritative name servers with their own or someone else's (ex: botnet domains being reassigned to a security company for dismantling via court order)[2]

3.) If the authoritative name servers for a domain are owned by the registrar, then the registrar can merely change the DNS entries themselves to point to something other than the domain owner's wishes.

[0] - https://en.wikipedia.org/wiki/ICANN

[1] - https://www.icann.org/resources/pages/epp-status-codes-2014-...

[2] - https://www.icann.org/en/system/files/files/guidance-domain-...
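
The registrar actions listed in the comment above (a hold status, swapped nameservers) and the registry lock mentioned earlier in the thread can be watched for from the outside. This is an added example, not part of any comment: it audits an RDAP domain object against the owner's baseline; the domain `example.test`, the nameserver names and both sample records are constructed.

```python
"""Audit an RDAP domain record for registrar-level changes (added example)."""

# RDAP status strings; RFC 8056 maps EPP codes such as clientHold to these
# space-separated names.
HOLD = {"client hold", "server hold"}      # domain is withheld from the TLD zone
REGISTRY_LOCK = {                          # statuses set by the registry itself
    "server delete prohibited",
    "server transfer prohibited",
    "server update prohibited",
}

# Constructed baseline: the delegation the domain owner expects to see.
BASELINE_NS = ["ns1.example.net", "ns2.example.org"]

# Constructed sample: healthy record with a full registry lock.
SAMPLE_LOCKED = {
    "ldhName": "example.test",
    "status": ["client transfer prohibited", "server delete prohibited",
               "server transfer prohibited", "server update prohibited"],
    "nameservers": [{"ldhName": "NS1.EXAMPLE.NET"},
                    {"ldhName": "ns2.example.org."}],
}

# Constructed sample: suspended by the registrar and pointed at parking servers.
SAMPLE_SUSPENDED = {
    "ldhName": "example.test",
    "status": ["client hold", "client transfer prohibited"],
    "nameservers": [{"ldhName": "ns1.parking.example"},
                    {"ldhName": "ns2.parking.example"}],
}


def nameservers(record):
    """Return delegated nameserver hostnames, lower-cased, no trailing dot."""
    return {
        ns["ldhName"].lower().rstrip(".")
        for ns in record.get("nameservers", [])
        if "ldhName" in ns
    }


def audit(record, expected_ns):
    """Compare one RDAP domain object with the owner's baseline.

    Returns a list of (severity, message) tuples. An empty list means no
    hold, the expected delegation, and a complete registry lock.
    """
    findings = []
    status = {s.lower() for s in record.get("status", [])}

    # 1. Hold status: the name stops resolving however healthy the
    #    authoritative servers are.
    held = sorted(status & HOLD)
    if held:
        findings.append(("critical", "domain on hold: " + ", ".join(held)))

    # 2. Delegation: nameservers replaced or removed at the registry.
    found = nameservers(record)
    expected = {n.lower().rstrip(".") for n in expected_ns}
    if not found:
        findings.append(("critical", "no nameservers delegated"))
    elif found != expected:
        added = sorted(found - expected)
        removed = sorted(expected - found)
        findings.append(
            ("critical", f"delegation changed: added={added} removed={removed}"))

    # 3. Registry lock: without these statuses the registrar can push
    #    updates, transfers or deletes without a registry-side check.
    missing = sorted(REGISTRY_LOCK - status)
    if missing:
        findings.append(
            ("warning", "registry lock incomplete, missing: " + ", ".join(missing)))

    return findings


if __name__ == "__main__":
    for name, rec in (("locked", SAMPLE_LOCKED), ("suspended", SAMPLE_SUSPENDED)):
        print(name, audit(rec, BASELINE_NS) or "no findings")
```

Run on a schedule against the registry's RDAP answer for each business-critical domain, a check like this surfaces a hold or delegation change before cached records expire.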

The registrar maintains the records that specify which nameservers, i.e. DNS servers, will resolve names for that domain. The registrar simply changes that record to point to nameservers that they operate, and with DNS entries that “take it offline”.

I'm not seeing a block at the moment. I did find a whois history page that claims their NS records in January, 2018 are the same as what I'm seeing now:

Those don't appear to be connected to the registrar (tierra.net); most likely the NS records were removed or replaced with servers that direct all queries to a parking page for abusive domains. The TLD servers for com. return a 2 day TTL for all glue records, and their SOA record indicates a 1 day negative TTL.

(Of course, some caching resolvers ignore TTLs :( )

I assume the registrar was also the nameserver in this case

Am I seeing things or is dig really telling me their NS records pointed to vtitan.com? Who the hell is vtitan? Route53 with AWS would run them what, $100 a month for their level of traffic?

> vTitan, an international company with offices in California, Singapore and Tamil Nadu, is engaged in the development, manufacture, distribution and sales of a broad range of medical devices and consumables used in global healthcare markets.

what in the world?

Zoho appears to have funded it along with a few other companies. Unfortunately, the Indian news page that reported on the launch is even worse than news sites in the US with popups, pop-ins, pop-overs, pop-rocks, etc, so I can't in good conscience link it here.

Archive.org, for next time.


How many CEOs do you know that would have any clue who their domain registrar is? How many would know what a domain registrar is?

For a SaaS company, a domain registrar is part of the critical supply chain; if it fails, it creates an existential crisis to the business.

I think that warrants CEO visibility.

Ok, this is just a non-technical version of what @souterrain posted.

If I am the CEO of a local supermarket or a butchery, I don't need to know my domain registrar as they are not a major factor to my business. My website being down for 1 week also might not make a big difference. My customers deal with my company face to face.

But if I am a CEO of an "Internet company" and my customers deal with me via my "domain", I damn well ensure that I have a weekly quick call with the guy who could block my domain abruptly.

I am the CEO. Yes, this situation is unacceptable. Unfortunately domain registrars do have extreme power this way. It could happen to any domain.

If you can ask your team to write a detailed blog post on how you handled this situation and remedied it for future it would be a great help for many of us

this looks like a clandestine attempt of industrial sabotage meant to pressurize zoho. Maybe you refused investment or something? just asking...

But someone should have been reviewing the current state for cracks and weak links.

Along with a million other possible failure cases.

The line, "they should be fired" is so easily spoken by people who have never been in charge of something very big and involving many moving parts.

The fact is, anything of sufficient significance has innumerable potential failures waiting to happen. Even with the best, methodical effort, it is impossible to predict and protect against them all.

People who want to be angry at executives can direct their focus to the MANY huge companies that are actively evil and actively antagonistic toward their customers. Zoho should be way down on the list of targets.

I didn't say anyone should be fired.

The parent post suggested firing, and as your comment was a direct reply to the CEO, it's likely the replier thought it was a comment from the parent.

My bad if I replied to the wrong post. The indentations are quite small on my phone, so I may have goofed. My apologies.

It could happen to any domain of a company that uses a registrar that nearly no one has ever heard of.

Sorry, OP was a bit too hard on you, but I think you have quite a bit of egg on your face for this one.

We detached this subthread from https://news.ycombinator.com/item?id=18059984.
